Looking at Firewall Technology


The final component of VPN-1/FW-1 is the actual firewall module. The firewall module enforces NAT, access control, logging, content security, and user, client, and session authentication services. The firewall module contains, among other functions, the inspection module that actually makes control decisions, based on the Security Policy, on how to handle traffic attempting to traverse the firewall's network interfaces. VPN-1/FW-1 uses a Check Point-patented technology called Stateful Inspection to examine IP data packets and, after applying knowledge of previous communication and the Security Policy, decide what action to perform on that data.

To understand the benefits of Stateful Inspection for controlling network traffic, it is necessary to look at the other types of firewall technology available today. The next few sections examine proxy (application gateway) and packet filtering technology and compare their advantages and disadvantages with those of Check Point's Stateful Inspection firewall technology.

Proxy Server versus Packet Filter

When comparing firewall technology, it is necessary to consider the layer of the Open System Interconnection (OSI) reference model at which the firewall inspects traffic. Table 1.1 lists the seven layers of the OSI reference model and explains the type of data at each layer. In general terms, firewalls that inspect close to the top of the model have very detailed control over application-specific data, whereas firewalls inspecting farther down the model have less control over many types of traffic. As well, the position of the firewall's control module in the IP stack affects how much of the underlying OS can be exposed to unfiltered traffic.

Table 1.1: OSI Reference Model

OSI Layer                 Function
7 - Application Layer     Provides a set of interfaces allowing applications network access
6 - Presentation Layer    Converts application data into a generic format for transmission
5 - Session Layer         Allows two network devices to hold ongoing communication (session)
4 - Transport Layer       Manages the transmission of the data on the network (packet sizes, and so forth)
3 - Network Layer         Addresses packets by resolving physical addresses from logical names
2 - Data Link Layer       Translates physical frame data into network layer format (NIC drivers)
1 - Physical Layer        Converts bits into signals (NIC and network medium at this layer)

Packet filtering examines data at the Network layer of the OSI model. This allows the packet filter device to apply a user-defined rule base on the source and destination service port and IP address only. Although this is relatively effective and can be made completely transparent to users, it is also often difficult to configure and maintain as your rule set grows. Packet filtering is inexpensive and can be found in many network devices from entry-level routers to enterprise firewall solutions. Packet filtering can offer complete application transparency and greater data throughput performance than application or proxy gateways.

The limitations of the packet filtering method of controlling data stem from the inability to apply rules to data above the Network layer. This ignores a large part of the data packet when making a control (allow or deny) decision. Packet filters are often difficult to configure and monitor because of their command-line-only interfaces, and they do not provide detailed logging of network data, again because they have no knowledge of the packet's contents above layer three and because of the simplicity of the devices often used. Since the packet filter device cannot keep or use application or session state to make decisions about specific data packets and subsequent connections, and has only a limited ability to manipulate traffic (such as address substitution), it is often considered to have a lower security level than a proxy or Stateful Inspection solution.

Application gateway (often called proxy) firewalls inspect network data at the very top of the OSI model, the Application layer. By using the underlying OS's IP stack, the proxy firewall typically gains more detailed control over the application's data, since packets are fully decoded before a decision to pass or drop the traffic is made. This provides good security, but only for applications that the proxy is aware of; as new applications are introduced, new proxy components must be developed, which is a long and programming-intensive process.

The main disadvantages of the proxy firewall technology are that the gateway cannot always be made transparent to the users and that the firewall is more vulnerable to OS or application security problems and bugs than other technologies, because the firewall sits so high on the IP stack. Proxies also have problems supporting User Datagram Protocol (UDP), Remote Procedure Call (RPC), and other common connectionless services and protocols, such as Internet Control Message Protocol (ICMP).

Furthermore, even though application gateways inspect at the Application layer, they typically only enforce basic protocol rules and have no dedicated attack protection and prevention. Many attacks today (Nimda, Code Red, and so forth) are designed to conform to protocol specifications and exploit weaknesses in the design of the application running. By designing worms and exploits in this manner, these attacks often pass right through an application gateway or proxy server to the destination server, exploiting it.

Performance and Scalability

The need to continuously increase the Internet bandwidth available to your network to support new applications and services, as well as the need to segregate other high-speed networks, makes performance and scalability a high priority for any firewall solution. The ability of a solution to fit your current needs and grow as your network grows needs to be considered alongside the overall feasibility of the solution to fill your security requirement.

Although a proxy firewall can provide good security, scaling up to new applications is not always easy. Each application or protocol (such as HTTP or FTP) needs to have its own application gateway; this makes controlling new applications difficult and sometimes impossible, especially for proprietary applications and protocols. The performance or data throughput of a proxy solution is often lower, and the latency higher, than other options, since data must be decoded all the way up to the Application layer before a control decision can be made. In addition, terminating a connection, decoding the packets, and creating a new outbound connection require more processing, and because these are functions of the OS and not of the application, connection information is difficult, if not impossible, to synchronize across multiple gateways to provide transparent failover.

Packet filters, on the other hand, often scale up to large installations easily. This is partially due to the fact that the packet-filtering firewall is often built into network routers and switches and, as such, can operate at or near network line speed. This makes packet filtering scale up with growth very easily since most networks already use routers; it is just a matter of purchasing devices capable of filtering, installing them where needed, and creating some rules. Even when built as an application running on a server, from the performance side, the packet filtering firewall is inspecting at a lower layer of the OSI model, meaning less processing overhead is introduced and greater throughput can be achieved. It is for these reasons that packet filtering is often used at the edges, or borders, of the network to reduce the volume of traffic before passing it to a firewall that can provide better security. It is easiest to think of this implementation as a kind of basic filter applied to the data stream; once you have reduced the volume of noise, you can use a more secure firewall, which may or may not perform at a lower rate, to provide fine control over the network data.

FireWall-1's Inspection Engine

FW-1's Inspection Engine inspects all data inbound and outbound on all of the firewall's network interfaces. By inserting it into the Transmission Control Protocol (TCP)/IP stack between the Data Link and Network layers, the Inspection Engine runs at the lowest level of the OSI model accessible by software, since the Data Link layer is actually the NIC driver and the Network layer is the first layer of the IP protocol stack.

With FW-1 inspecting data at the lowest point possible, it is possible to keep state and context information from the top five layers of the OSI model that can be used when making control decisions. To obtain this state information, the Inspection Engine examines the source and destination service port and IP address fields from the data packets as well as other application information. This data is then used to determine what action to take based on the Security Policy. Figure 1.7 shows an overview of the firewall's position during a typical session between a client and server, as well as an overview of how data flows through the inspection module.

Figure 1.7: FireWall-1 Data Flow and Inspection Engine Detail

The Stateful Inspection technology maintains two types of state information. The communication-derived state is information that is gained from previous communication. For example, the Inspection Engine will note an outgoing FTP PORT command and will allow the incoming FTP data session to pass through to the client even though the data session on TCP port 20 is completely separate from the control session between a client and server on TCP port 21. The application-derived state is information saved by FW-1 from other applications, such as a user authenticating to the firewall to be allowed HTTP access, and can also be allowed HTTPS access if both rules in the Security Policy require the same type of authentication.

Collecting state and context information allows FW-1 to track not only TCP sessions, but also connectionless protocols such as UDP or RPC. Consider a standard DNS query; if the query were done with TCP, tracking the response would be easy, since it would be part of the established connection between the client and the server. However, DNS queries are always done with UDP, usually on port 53 (TCP port 53 being used for DNS zone transfers); this complicates allowing the DNS response to pass through the firewall since it is not part of an existing connection. A packet-filtering device would have to allow defined (or all) hosts to send UDP port 53 data to the client at any time, regardless of whether or not a request was made, since no application tracking can be done. In contrast, by keeping state information, FW-1 will be expecting a DNS response from a specific server after recording in the state tables that the client had made a request which was permitted by the Security Policy. To make this work, FW-1 allows data on UDP port 53 from the server back to the client that made the request, but this port is only held open until a user-configurable timeout has expired, and then it will be closed again. This ensures that a request must go out from the client before any data from the server will be accepted, and that if no response is received, the port will not be held in an open state.
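The two kinds of state described above, the FTP PORT command that pre-authorises the separate data connection and the UDP DNS query that opens a reply slot with a timeout, as an added toy state table (example code written for this page, not Check Point's Inspection Engine; the timeout values, addresses and the `PORT`-must-point-back-at-the-client check are assumptions):

```python
import re
from dataclasses import dataclass, field

# Timeouts in seconds; assumed values standing in for the user-configurable ones.
UDP_REPLY_TIMEOUT = 40.0
FTP_DATA_TIMEOUT = 60.0
PORT_RE = re.compile(r"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")

@dataclass
class StateTable:
    """Expected connections keyed by (proto, src_ip, src_port, dst_ip, dst_port)."""
    expected: dict = field(default_factory=dict)

    def note_ftp_port(self, client_ip, server_ip, payload, now):
        """Communication-derived state: a PORT command seen on the control
        session (TCP/21) tells us the server will connect back from port 20."""
        m = PORT_RE.search(payload)
        if not m:
            return None
        a, b, c, d, hi, lo = (int(x) for x in m.groups())
        if f"{a}.{b}.{c}.{d}" != client_ip:
            return None  # added check: only honour a PORT that names the client itself
        key = ("tcp", server_ip, 20, client_ip, hi * 256 + lo)
        self.expected[key] = now + FTP_DATA_TIMEOUT
        return key

    def note_udp_query(self, client_ip, client_port, server_ip, server_port, now):
        """A permitted outbound UDP query opens a slot for exactly one reply."""
        key = ("udp", server_ip, server_port, client_ip, client_port)
        self.expected[key] = now + UDP_REPLY_TIMEOUT
        return key

    def allow(self, proto, src_ip, src_port, dst_ip, dst_port, now):
        """Permit only a packet that matches an unexpired expectation. The entry
        is consumed either way, so a slot never stays open past its timeout."""
        expiry = self.expected.pop((proto, src_ip, src_port, dst_ip, dst_port), None)
        return expiry is not None and now <= expiry

def demo():
    """Constructed traffic: client 10.0.0.5, FTP server 203.0.113.7, DNS 198.51.100.53."""
    st = StateTable()
    st.note_ftp_port("10.0.0.5", "203.0.113.7", "PORT 10,0,0,5,4,1\r\n", now=100.0)
    ftp_data = st.allow("tcp", "203.0.113.7", 20, "10.0.0.5", 1025, now=101.0)
    st.note_udp_query("10.0.0.5", 40000, "198.51.100.53", 53, now=200.0)
    unsolicited = st.allow("udp", "198.51.100.53", 53, "10.0.0.5", 40001, now=201.0)
    reply = st.allow("udp", "198.51.100.53", 53, "10.0.0.5", 40000, now=210.0)
    st.note_udp_query("10.0.0.5", 40002, "198.51.100.53", 53, now=300.0)
    late = st.allow("udp", "198.51.100.53", 53, "10.0.0.5", 40002, now=345.0)
    return {"ftp_data": ftp_data, "unsolicited": unsolicited, "reply": reply, "late": late}
```

The unsolicited reply to a port no query came from, and the reply arriving after the timeout, are both dropped; a packet filter that must statically allow UDP/53 inbound cannot distinguish either from the real answer.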

Performance and Scalability

Controlling traffic using Stateful Inspection is very efficient and introduces minimal load to the firewall and very little latency to the network data stream. This is partly because the Inspection Engine is inserted into the OS kernel, allowing it to control data quickly and efficiently, but also because of the use of state tables to help make control decisions. As Figure 1.6 shows, incoming data packets are compared to information in the state tables before evaluating the rules in the Security Policy. Since the state tables are kept in kernel memory, access to them is considerably faster than checking the rule base rule by rule, which allows traffic to be handled faster. To help increase performance of the Security Policy, try to keep frequently used rules near the top of the rule base; this will help to ensure that the minimum number of rules will need to be evaluated before making a control decision.

Sidebar (Developing & Deploying): Caveat Emptor

Be aware when comparing differing firewall technologies that, even though Check Point developed Stateful Inspection in 1993 and is the undisputed market leader in the firewall marketplace, there are many products out there riding on Check Point's coattails which claim to use Stateful Firewalling, Stateful Packet Filtering, Deep Packet Inspection, or even Stateful Inspection itself. However, unless the product itself has been certified by Check Point and runs Check Point's software (i.e., Secured by Check Point Appliances), its capabilities are not as flexible, robust, and secure. Today, even free software can enforce the three-way handshake of TCP and dynamically open ports for FTP, but being able to enforce very stringent security for uncommon or complex protocols like SQL*Net, SIP and H.323, and being able to differentiate encrypted protocols from each other (without terminating the secure connection), like SSH v1 from v2 or SSL v2 from v3, is where you see the real difference between Check Point and its competitors.

Check Point's solution, built from the ground up on the Inspection Engine, three-tiered management infrastructure, and GUI-based management, is the only solution available today that can provide the security, flexibility, manageability, integration, and scalability in a single solution to meet the needs of small, medium, and large organizations alike. In addition to the unique technology Check Point provides, the OPSEC Alliance of best-of-breed third-party companies ensures that your investment can also meet your needs in the future without locking you into a single vendor's chosen solution.

Adding encryption or logging with the account option will add a noticeable amount of overhead to your firewall. Performance is always traded for additional functionality, but purchasing or upgrading to a faster hardware platform will help to relieve most performance problems if your network grows beyond what your existing firewall was built to serve. For firewalls doing a lot of encryption, consider using a multiple CPU machine or adding a hardware encryption accelerator to handle some of the load.

Taking advantage of the VPN-1/FW-1 distributed design helps not only with scalability, but also with performance issues. As your network grows, you can add additional firewalls, either in a clustered load-balancing configuration or as stand-alone enforcement points, to spread different functions to separate gateways. Transparent high availability and load sharing can be achieved because the state information stored in kernel memory is synchronized with all other cluster members, thus allowing them to immediately take over for a down system without affecting the connection. For example, some medium-sized organizations use one firewall for outbound user traffic (such as HTTP and FTP access) and for protecting an Intranet segment, a second firewall to provide inbound services such as access to the corporate Web servers for internal and external (Internet) users, and a third machine to serve as a VPN gateway for employees and business partners. Since a single management server can manage multiple firewalls, scaling up to new growth and application demands by adding another firewall, when a simple hardware upgrade will not meet the performance requirement, can be done quickly and easily without significantly increasing your management overhead.


Check Point NG[s]AI
ISBN: 735623015
Year: 2004
Pages: 149